-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remove tls cipher suite settings #127
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -106,7 +106,6 @@ func main() { | |
ClientCAs: prepareCACertificates(), | ||
MinVersion: tls.VersionTLS12, | ||
PreferServerCipherSuites: true, | ||
CipherSuites: getPreferredCipherSuites(), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Did you see any issue using TLS1.3 clients? Golang uses this CipherSuites setting only for TLS1.0-1.2 communications. It is ignored when TLS1.3 is selected -- server automatically picks the best cipher. Current configuration forces stronger ciphers when TLS1.2 is selected. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The ciphers returned by There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I agree that it should not have impacted TLS1.3 communication. The requirement is must support TLS 1.3 by default, if not possible, fall back to TLS 1.2. We remove There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I understand the requirements, but the changes have nothing to do with it. REST server already supports TLS1.2 and TLS1.3 as expected. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I agree server already supports TLS 1.2 and TLS 1.3. I'm confused why "the changes have nothing to do with it". There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. hi @maipbui, I am okay to remove the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I see your point, will update the PR. |
||
} | ||
|
||
// Prepare HTTPS server | ||
|
@@ -199,17 +198,6 @@ func getTLSClientAuthType() tls.ClientAuthType { | |
} | ||
} | ||
|
||
func getPreferredCipherSuites() []uint16 { | ||
return []uint16{ | ||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | ||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | ||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | ||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | ||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | ||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | ||
} | ||
} | ||
|
||
// findAManagementIP returns a valid IPv4 address of eth0. | ||
// Empty string is returned if no address could be resolved. | ||
func findAManagementIP() string { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you planning to upgrade golang version too? If not it is better to retain the PreferServerCipherSuites setting. Without this, the golang 1.15 tls library selects client advertised cipher suite. Hence there is a chance of using an unsafe cipher if the clients are not configured properly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will upgrade golang 1.15 and keep disable PreferServerCipherSuites settings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After discussion, keep Go 1.13 and retain PreferServerCipherSuites. only remove CipherSuites.